Latest News & Comment

Comment: 2018/02/15 - NCSC announce Russian Military behind NotPetya.
In interesting times, we have a somewhat unprecedented statement from NCSC regarding the source of the NotPetya attack last year. The FCO have followed suit as have the US.

Is anyone for cyber escalation?

Comment: 2018/02/14 - More Apple fails.
What is going on with Apple at the minute?

The biggest issue is the fact that the source code for the iBoot secure bootloader has been leaked to GitHub. Lawyers have issued a takedown notice. Without conducting extensive analysis, it's difficult to tell how damaging this is. It is for an old version of iOS, but even if it weren't, best practice for devops should keep secrets away from code.

In more bad news, there's a fault with the way that many iDevices render text. Information here.

Comment: 2018/02/13 - Sunset on revolutionary IT.
Way back in 2015, I read Commodore: A Company on the Edge in one sitting. It spoke to me about my childhood and adolescent geekism. At the time, I said that the sequel, Commodore: The Amiga Years would be published that November.

Following a fairly rocky path, where even the author said it was cancelled, it's been published. It's been a wonderful trip back to when technology was personal, was simpler and wasn't about assimilating data and tracking you. I thoroughly recommend it as an alternative view of the IBM and Apple dominated history.

And in a very similar vein, here's a book about the downfall of Nokia. I have still used more Nokia phones than any other manufacturer's over the years. (Seven Nokia devices from the 7110 to the E72 versus six BlackBerry devices from the 9800 Torch to the KeyONE.)

A popular browser plugin used for website accessibility appears to have been trojanned. The trojanned version causes a user's browser to start crypto-mining. Whilst this is bad, the code doesn't persist beyond that particular browser session. I can't help feeling that the sensationalist journalism is worse. I would hope that the NCSC advice on what was a fairly trivial attack was released partly as a response to the FUD.

The Guardian are reporting that the Olympic Games were hit by a cyber attack during the opening ceremony. Analysis of the alleged malware here.

Comment: 2018/02/05 - Cyber and the NHS.
The Guardian are reporting that every NHS trust has failed a cyber security test. Whilst it's not clear what that test is, rumour has it that it's CyberEssentials (or CyberEssentials Plus).

The NHS have always been different when it comes to information security. They don't follow a traditional IA model - at least if you've got a background in anything other than healthcare security.

I've been called upon to respond to a devolved government consultation on improving cyber resilience. It made me laugh as it added nothing to the wider UK scheme, except that it allowed another administration to stand up and say they're doing something positive about cyber-security.

There are two bits that really annoyed me about the consultation:-

The first is that they're mandating all public organisations achieve a minimum baseline of CyberEssentials Plus. They fail to recognise those public sector organisations who do other things that are better or more mature than that baseline, such as ISO27001 certification, formal accreditation and even the NPIRMT GIRR. In essence, it's a waste of time and taxpayers' money.

The other thing that annoys me is the bandwagon that certain consultancies have jumped on in order to provide CyberEssentials advice to those public sector organisations. These are being funded by the same devolved government. Look who "owns" the IPR for CyberEssentials. It's a company called IASME. IASME stands for "IA for Small and Medium Sized Enterprises". In the UK, a company is defined as being an SME if it meets two of the following three criteria: it has a turnover of less than £25m; it has fewer than 250 employees; and it has gross assets of less than £12.5m. The main USP of CyberEssentials is that it's largely simple enough for any organisation to do themselves, with the specialist advice being limited to the areas that add real benefit such as the pentest.

Comment: 2018/01/08 - Domestic Travel Advice 2018 Edition, Issue 1.
It would be sod's law that as soon as we published the most recent version of Domestic Travel Advice, the 2018 edition would rock up with very significant changes to the content and layout.

Comment: 2018/01/04 - Spectre and Meltdown CPU flaws.
In the increasing war for GHz, it transpires that Intel, AMD, ARM and probably every other CPU manufacturer in the world have been playing loose and free with the security of the host OS for the last ten to twenty years.

The major IT vendors have known about this for a wee while now and were attempting to co-ordinate updates; rumour has it that it was supposed to be disclosed next week. It appears that The Register broke ranks and published the news early.

The flaws, which have been categorised into three different CVEs, are present because of the way that processors optimise performance. The original research paper for Spectre is here and for Meltdown, here.

The first advice from NCSC was laughable. That said, I've seen grown adults who pass themselves off as security professionals struggle to understand the implications of the flaw, with various knee-jerk reactions highlighting the performance hit for patched systems. The situation is no doubt compounded by the mainstream press coverage.

The initial advice from CERT highlighted that these vulnerabilities are unlikely to be entirely patchable.

NCSC eventually produced better advice with links to statements of fact from the various vendors. As an example of the BS surrounding this, The Register analysis of the Intel statement is worth a read.

It would be easy to laugh this off and put your head in the sand, but this is a fundamental flaw in the way that certain microprocessor architectures have been designed. Is it a coincidence that Intel's CEO Brian Krzanich dumped a load of stock, making about $25 million US, in the month before the disclosure? Certainly it appears that Intel will be subject to an investigation.

Back in the real world, where do we stand? Having done considerable research, all the vulnerabilities still require a foothold on a compromised machine. Good "cyber-hygiene" will continue to prevent bad things happening.

In summary:-

Spectre: CVE-2017-5753 (Variant 1 - Boundary check bypass) and CVE-2017-5715 (Variant 2 - Branch target injection). Intel, AMD and ARM processors are vulnerable, but an exploit requires significant knowledge of the target environment. A complete fix is unlikely as it requires CPUs to be re-engineered.

Meltdown: CVE-2017-5754 (Variant 3 - Rogue data cache load). Seemingly only Intel CPUs are vulnerable, although ARM have submitted patches for this particular vulnerability. This is easy to exploit, but easy to fix - with a question over a resulting performance impact.
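As an added check (not code from BladeSec or any vendor), the script below turns the three CVEs in the summary into a per-host patch status by reading the Linux kernel's /sys/devices/system/cpu/vulnerabilities/ entries (spectre_v1, spectre_v2, meltdown; present from kernel 4.15). The SAMPLE dictionary is constructed so the script also runs on a machine without those files.

```python
# Added check: summarise Linux kernel (4.15+) sysfs reports for the three CVEs above.
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> (sysfs entry, variant name as listed on this page)
CVE_FILES = {
    "CVE-2017-5753": ("spectre_v1", "Variant 1 - Boundary check bypass"),
    "CVE-2017-5715": ("spectre_v2", "Variant 2 - Branch target injection"),
    "CVE-2017-5754": ("meltdown", "Variant 3 - Rogue data cache load"),
}

# Constructed sample (not a real capture): KPTI applied, Spectre mitigations not yet.
SAMPLE = {
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    "meltdown": "Mitigation: PTI\n",
}

def classify(report: str) -> str:
    """Map one kernel report line to not_affected / mitigated / vulnerable / unknown."""
    text = report.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"  # "Vulnerable: <partial mitigation>" is still exposed
    return "unknown"  # empty or unrecognised: treat as unverified, not as safe

def cpu_status(source=None) -> dict:
    """Per-CVE state; source=None reads sysfs, a dict (e.g. SAMPLE) runs offline."""
    status = {}
    for cve, (name, variant) in CVE_FILES.items():
        if source is None:
            path = SYSFS / name
            report = path.read_text() if path.exists() else ""
        else:
            report = source.get(name, "")
        status[cve] = {"variant": variant, "state": classify(report)}
    return status

def still_exposed(status: dict) -> list:
    """CVEs the kernel does not report as mitigated: input to the patch/risk decision."""
    return sorted(c for c, s in status.items() if s["state"] not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    live = cpu_status(None if SYSFS.exists() else SAMPLE)
    print({c: s["state"] for c, s in live.items()}, "exposed:", still_exposed(live))
```

A missing sysfs entry (older kernel) is reported as unknown rather than safe, so a pre-4.15 host shows all three CVEs as still exposed until it is verified another way.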

In terms of performance:-

Desktop file and print is unlikely to have much of a performance hit. I/O will have a performance hit, but it won't be massively noticeable.

Enterprise applications, on the other hand, do suffer significantly degraded performance. Given the nature of these systems, it could be a risk-based decision as to whether to patch these systems at all. If a database server is at the bottom of a software stack, it is a reasonable position that the performance takes precedence.

There are major concerns regarding systems running as a virtual host, or the virtual machines themselves. Anecdotal evidence suggests the main cloud providers are experiencing a not insignificant performance hit, although there's been little public voicing of this from their customers. Scalability has a benefit!

A good list of manufacturers and their patch status.
Update: 2018/01/06 - Here come the class action lawsuits.

Comment: 2018/01/03 - Website update.
Very observant readers will notice that we have subtly changed the website. There are not many content changes: just a few things updated, old stuff removed and Domestic Travel Advice now has its own permanent page here under Products and Services. Because of the wide-ranging nature of the update, there may be a few glitches, but we'll get them ironed out as we find them.

Enjoy!

Comment: 2018/01/01 - Happy New Year!
Once again, as the clock ticked past midnight, BladeSec IA Services became another year older as we celebrated our sixth birthday. Who'd have thought that so many of our clients share our views on how information assurance consultancy should be done!

As usual, that means it's time for our tongue-in-cheek look at the last twelve months:-

Miles to closest job: 40.6 miles.

Miles to farthest regular job: 187 miles.

Largest number of miles covered in a single job: 2434 miles (at no cost to the customer - we even expect to rack up another 1156 miles before January has gone.)

Number of products sold: Nil.

Number of different BladeSec IA services sold: 3.

Amount of money received for anything other than consultancy: £nil.

Number of customers assisted in the last twelve months: 5.

Number of individual projects worked on: 12.

New customers: 3.

Number of tenders submitted: 3.

Most interesting place visited: Unfortunately this year, we're not allowed to say!

Value of donations made by BladeSec IA to support good causes: £310.

Amount of time donated by BladeSec IA staff pro-bono: 13 days.

Number of redundant BlackBerry phones in the "spare handsets box": 5.

Number of pages printed on the office colour laser this year: 3570.

Number of pages printed since the supply level went to Very Low: 1141.